Bug 1213596 (CVE-2023-38056)

Summary: VUL-0: CVE-2023-38056: otrs: Improper Neutralization of commands allowed to be executed via System Configuration
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Wolfgang Engel <wolfgang.engel>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: dmueller
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/373291/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2023-07-24 12:20:14 UTC
CVE-2023-38056

Improper Neutralization of commands allowed to be executed via OTRS System
Configuration e.g. SchedulerCronTaskModule using UnitTests modules allows any
authenticated attacker with admin privileges local execution of Code. This issue
affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS))
Community Edition: from 6.0.1 through 6.0.34.



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38056
https://www.cve.org/CVERecord?id=CVE-2023-38056
https://otrs.com/release-notes/otrs-security-advisory-2023-05/

Comment 1 Robert Frohl 2023-07-24 12:21:43 UTC
affecting openSUSE:Backports:*